CISOs find themselves increasingly engaged directly with their Board and Executives because the Board and Execs see the volume and impact of security incidents increasing. In fact, Oxford Economics just reported that serious breaches permanently shave nearly 2% off public company value. This is in addition to the substantial expense ($4 million per breach on average) and turmoil organizations experience when incidents do occur. Executives and Boards are left wondering if management understands the risk – where it resides, how much it is, and whether it is being adequately addressed.
When CISOs get the call from their boards and Execs, they are often not able to answer these questions and to converse in a way the Execs and Board want. CISOs are extraordinarily adept at understanding security risk that arises around the technologies employed by their organization but translating their technical understanding into business terms can be difficult. Communicating technical risk into business risk is a paradigm shift for most organizations. Effective information security programs are becoming “Business Driven Security” programs.
RSA just released a Security for Business Innovation Council Report regarding this problem, “What Boards Want to Know and CISOs Need to Say” that discusses the translation of security leadership into board value. A Business Driven Security strategy is core to the translation of CISO technical expertise into Board terminology but it also enables CISOs to better understand where they should implement technical and organizational measures to protect the most important information to the organization. This understanding can be more easily conveyed to the Board and executive team before spending millions of dollars on security initiatives and human resources. It provides the what, where, how, and why they are spending the money, that it’s being spent properly, on the biggest risks, and that there are procedures to monitor that the spend has been effective. In my next blog I will describe how you can use RSA Archer to drive a Business Driven Security strategy.
|Update your feed preferences|
Earlier in this blog series, we discussed anomaly detection and machine learning focusing primarily on examples that included information you could expect to be available from the system that provides your identity assurance. It’s likely, however, that there is much more data that can be leveraged for making system access decisions in your current IT ecosystem. Your threat detection system, Cloud Access Security Brokers (CASB), enterprise mobility management tool, and physical security system all have data that can provide insight into your identity assurance system and impact your strategy.
When building out your identity assurance strategy, be sure to look at the active system management and security tools and ask yourself a simple question: What information from these existing tools do I wish our identity system knew?
How would this work? Let’s review a few common examples.
Threat Detection (including SIEM, CASB)
The key to both of these is that the correct alerts are triggering the appropriate additional access security in real time. In addition to real-time threats, many of these tools also have additional risk analytics. When this risk analytics data is available, it should work with the risk analytics of the identity assurance system to raise or lower confidence in a user’s identity, impacting the authentication requirements.
Enterprise Mobility Management (EMM)
Physical Security Systems
Putting It All Together
We have spent a lot of time talking about gathering the data required to identify the correct authentication requirement for each situation. In the final blogs of this series we will cover the two final key components to a successful identity assurance strategy and they are all about the end user. Until then, take just 15 minutes to learn how RSA SecurID® Access is enabling access to the modern enterprise with identity assurance in this on-demand webinar.
The post Six Keys to Successful Identity Assurance – Broader Ecosystem appeared first on Speaking of Security – The RSA Blog.
|Update your feed preferences|
Cyberattacks on IT assets are reaching new highs. Just when you think you are caught up, another unforeseen attack vector has opened. Look at just about any security architecture – it has been implemented slowly over time in a piece-meal fashion; leaving a mix of old and new technologies and overlapping parts and pieces, with few pieces talking to each other.
CISOs looking across their security architectures can only hope their solutions will withstand the onslaught of a cyber-attack. A scary proposition indeed. Recently, a CISO for a large financial services organization shared that his security architecture is composed of over 190 products. Despite this, he still feels vulnerable.
How do you manage 190 security products? Can you imagine the overlaps and the potential for gaps?
The US National Institute of Standards and Technology published a Cybersecurity Framework, also called the CSF and just released a draft for the next version.
The Cybersecurity Framework was developed to “enable organizations to apply the principals and best practices of risk management to improve the security and resilience of critical infrastructure.” The original CSF was released in 2014 and consolidates security research, international standards, and best-practices into a comprehensive protection guide.
At a high-level, the framework has five functions, and under these functions are categories and sub-categories.
I’ll leave it to you to read the full details on the NIST Cybersecurity Framework site, but essentially the five functions boil down to:
Identify—understand your assets, risks, governance, and create a cyber-risk management strategy
Protect—protect the assets, train your people, and keep up on maintenance
Detect—create the processes and implement the technologies to detect cyber mischief, and monitor for anomalies
Respond—develop a cyber-incident response plan and continue to improve
Recover—develop a recovery plan, test it, and continue to improve
The CSF is a great way to organize approaches to cybersecurity – although at the lowest levels of the framework, reference standards and tiers of implementation, are enormously complex. One of the collaborators of the Cybersecurity Framework explained at the February 2017 RSA Conference that the latest CSF pointed to over 120 security controls in these areas. Yikes!!! There’s got to be a better way.
We have made 2017 the year of Security Transformation. Now is the time to prioritize your organization’s cyber-security practices and evolve to combat new threats. We are joining the expertise of RSA, SecureWorks, VMware, and Dell EMC to produce adaptive security products and services to help you lead your security transformation.
We’ll be starting the conversation over the next few months and will be making major announcements related to Security Transformation. We are starting the conversation at Dell EMC World this May 8-11 in Las Vegas. I’ll be leading a session titled, “Learn How to Put Security at the Very Core of Your Organization with Secure Infrastructure”.
It’s an exciting time for us at Dell Technologies and we look forward to the year of Security Transformation. I invite you to join us during this exciting time and look forward to seeing and talking with you at Dell EMC World.
The post Transforming Security for our Next Generation Systems appeared first on InFocus Blog | Dell EMC Services.
|Update your feed preferences|
Looking for information on Archer and how to get the most out of it? The Archer Information Design and Development team (formerly known as Technical Publications) has your back. I’m Elizabeth Wenzel, and I have the pleasure of managing a talented team of content developers that are working hard to deliver the information that you need to get the most value out of your Archer investment.
We are currently working to not only strengthen and deepen the coverage in the existing documentation but also to add additional content and manuals to help you on your business-driven security journey with RSA Archer. Of course, having a lot of material to use is both a blessing and a curse – you know that the information is ‘somewhere’ but where? This is where the new RSA Archer Navigator 2.0 comes in.
Use the Navigator on RSA Link to filter the Archer assets by your role and expertise in using Archer, the area you are focused on (Platform, Use Cases, and so forth), and the product version. Navigator shows you the assets that meet your filter criteria, allowing you to jump right in and get the right information so you complete your task.
While all of the documentation content, other than technical content (installation, sizing, and Archer Control Panel) is included in the Archer online Documentation system built into the Archer product, we’ve anticipated that you may have the need to access that information in a printable book format (PDF) – all of the content in the online Documentation is also available within PDF guides (the same content in two formats): What’s New Guide, Platform Administrator’s Guide, User Guide, RESTful API Guide, and Use Case Guides. Combine these with the technical documents such as Installation and Configuration Guide, and it adds up to a lot of content at your disposal! Now, I recommend you use the Navigator to hone in on just what you are looking for. If we’ve missed something, we have even provided an easy way for you to share this with us, right on the Navigator home page.
We hope you agree that the Navigator 2.0 a helpful tool; find your path to success with the RSA Archer Navigator 2.0.
Watch the RSA Navigator video to maximize your Navigator experience.
|Update your feed preferences|
So time flies… It seems like yesterday when the RSA customer community gathered in New Orleans to share experiences and learn new tactics and strategies. 2017 marked the 13th year of the RSA Archer user community summit and believe it or not, year number 14 is just around the corner. Last week, we announced the call for speakers for RSA Charge 2017 and I cannot wait to start seeing the speaker submissions flowing in.
We have put together a stellar team to construct the learning tracks to optimize your experience. As content chairperson for the RSA Archer portion of RSA Charge, I have the privilege of seeing this process unfold. While this will be my 9th user group conference with RSA and Archer, it is still inspiring to hear you tell the stories of your successes – how you overcame challenges or leveraged an innovative approach to deliver strategic value to your organization.
If you are contemplating submitting a session, know that this is a very rewarding experience. Presenting to your peers can be a bit unnerving but the satisfaction and return is well worth it. To teach others is to learn about oneself. Thinking through your experiences, applying your new found knowledge and acknowledging your successes and lessons learned is as much of a benefit as imparting your wisdom to others.
A few topics come to mind as food for thought if you are looking for ideas:
I invite all of you to take a look across your implementation of RSA Archer and pull out those nuggets to share with your peers. RSA Charge is the perfect venue to help others navigate their own challenges. Hope to see and hear you in Dallas!
Check out our webinar in preparing to submit your proposal.
|Update your feed preferences|
Before seeking an answer, let’s question the question.
I recently returned to the cybersecurity industry and (re)joined the good fight to secure the cyberworld. As the digital era unfolds, it feels good to be part of this mission-driven industry to help create a safe digital future. While a lot has changed, and there have been great advances in technology, does the cyberworld feel any safer today than before?
We are in the fight of our digital lives and the mission is certainly worthwhile.
But is the mission impossible?
The latest edition of The Economist makes a somber case that the cyberworld will forever be “hackable” and that cybersecurity is broken. The premise of this article is:
More software in more things that are more connected + More software written by non-software companies + “Ship code as fast as you can and fix it as late as you can get away with” mentality + Zero economic liability for shipping insecure code = A cyber-world that is doomed to be unsafe forever
That damning verdict can spur a few different reactions.
You could look helplessly as the very users you are trying to protect casually click socially-engineered emails as a spear pierces the shield you tried to put up. You could bemoan the fact that you are totally outnumbered by the bad guys, hanging your head in utter despair.
But those are failure-mode thinking! It’s not about numbers, it’s about strategy.
You could get angry and come out with your technology guns blazing. You could picture yourself crushing the bad guys with clever machine learning, artificial intelligence and data science.
But that is wishful thinking! The bad guys have all the same technology you do.
Or you could take a Zen approach. Before seeking answers, you could question the question. Is our mission to create an “un-hackable” cyberworld, or is it to create a safer world? You would ponder the idea that the world will forever be hackable, but our mission is not to eradicate hacking – it’s to minimize the impact of it, thereby creating a safer world.
Now that we have framed the question properly, let’s seek some answers.
Let’s begrudgingly admit: an “un-hackable world” may be mission impossible. A safer world, though, is not just possible, but quite plausible (inevitable even) if you take the right approach.
I look forward to discussing just such an approach we have developed here at RSA, the first ever pure-play cybersecurity company (yes, we have been at it for 40 years) now part of Dell Technologies – the largest privately controlled technology company. Here is a teaser to the approach: when the amount of work to be done appears overwhelming, you should factor in the business context and prioritize ruthlessly. It’s about applying business context to cybersecurity to protect what matters most and taking command of all risk. We call this Business-Driven Security™ and we launched it at RSA Conference 2017. I will dig into this more in the coming weeks and months.
|Update your feed preferences|
Wikibon just released their “2017 Big Data Market Forecast.” How rosy that forecast looks depends upon whether you look at Big Data as yet another technology exercise, or if you look at Big Data as a business discipline that organizations can unleash upon competitors and new market opportunities. To quote the research:
“The big data market is rapidly evolving. As we predicted, the focus on infrastructure is giving way to a focus on use cases, applications, and creating sustainable business value with big data capabilities.”
Leading organizations are in the process of transitioning the big data conversation from “what technologies and architectures do we need?” to “how effective is our organization at leveraging data and analytics to power our business models?”
We developed the Big Data Business Model Maturity Index to help our clients to answer that question; to be able to 1) understand where they sit today with respect to how effective they are in leveraging data and analytics to power their business models, and 2) what is the roadmap for creating sustainable business value with big data capabilities (see Figure 1).
So why do organizations struggle if it’s not a technology or an architecture challenge? Why do organizations struggle when the path is so clear, and the business and financial benefits to compelling?
I believe that organizations fail in creating sustainable business value with big data capabilities because of the Peter Principle.
“Peter Principle”: The Destroyer of Great Ideas
The Peter Principle is a management theory formulated by Laurence J. Peter in 1969. It states that the selection of a candidate for a position is based on the candidate’s performance in their current role, rather than on abilities relevant to the intended role. Thus, employees only stop being promoted once they can no longer perform effectively – that “managers rise to the level of their incompetence.”
There are two key points in this concept that are hindering the wide spread adoption of data and analytics to power – or transform – an organization’s business models:
How do you teach the existing generation of management to “think differently” about how to leverage data and analytics to power their business models? How does one get an organization to open their minds and stop focusing on just “paving the cow path,” but instead focus on data and analytics-driven innovation? Let’s try a little exercise, my guinea pigs!!
Decision Modeling: Predictions Exercise
The Challenge: Can we transform business thinking by changing the verb from “automate” to “predict?” Instead of focusing on automating what we already know, in its place let’s try focusing on “predicting” what is likely to happen and “prescribing” what actions we should take.
“Automate” assumes that the current process is the best process, when in fact; there may be opportunities to leverage new sources of data and new data science techniques to change, re-engineer or even delete the process. Can we drive a more innovative approach by instead of focusing on “automation,” we focus on what predictions (in support of key business decisions) we are trying to make and prescribing what actions we should take?
Let’s demonstrate the process using the Chipotle key business initiative of “Increase Same Store Sales.” (Note: this decision modeling exercise expands upon Step 8 in the “Thinking Like A Data Scientist” methodology).
Table 1 shows the results of this process for one use case (Increase Store Traffic Via Local Events Marketing) that supports the “Increase Same Store Sales” business initiative.
Table 1: Predictions Exercise Worksheet
In the workshop or classroom, we would repeat this process for each use case (e.g., improve promotional effectiveness, improve market basket revenues). This analytics-driven approach can bring more innovative and out-of-the box thinking to the organization.
Summary: The GE Story
A recent article titled “You Can’t Outsource Digital Transformation” discusses what GE is doing to prepare for–if not lead–digital business transformation disruption. To quote the article:
“It’s the threat of a digital competitor who skates past all the traditional barriers to entry: the largest taxi service in the world that owns no cars; or a lodging service without any real estate; or a razor blade purveyor without any manufacturing.”
The author, Aaron Darcy, describes what GE is doing to “think differently” – that is to unlearn and relearn – regarding digital business model disruption. This includes:
Nothing threatens the existence of your business like the Peter Principle. An organization’s unwillingness to “un-education / re-education” will ultimately be the undoing of the organization. Because as IDC believes “By 2018, 33% of all industry leaders will be disrupted by digitally enabled competitors.” Ouch.
The post Peter Principle: The Destroyer of Great Ideas…and Companies appeared first on InFocus Blog | Dell EMC Services.
|Update your feed preferences|
“What happened to the mobile phone charging cord?”
Every few weeks, I find myself scurrying around the house, trying to find the charging cable for my mobile phone. Actually, it’s the cable to my wife’s phone, which she usually keeps plugged in at a handy location in our kitchen. And when I find my phone’s power running low, I like to plug into that handy cable. Sometimes, my wife takes the cable to charge her phone in the car. Of course, that’s usually when I realize my phone’s battery is perilously low. Then I have to run to the other room to dig out my own cable from my backpack.
Well, you may wonder what this has to do with data centers, or you may wonder why I don’t just break down and buy another charging cable or two. The point I’m trying to make with this trivial little example is that when you share infrastructure across multiple application owners, sometimes in the heat of the immediate need you do things that unwittingly complicate life for others.
And in today’s enterprise data centers, with hundreds of applications, some of which have very complex configurations, and thousands of servers, the number of such shared connections is quite large, and the potential for trouble, especially with rapidly-changing application and infrastructure modernization initiatives, is great.
Hey, I think we’re OK, we’ve got a CMDB!
Some of you seasoned data center pros may say, hold on a minute. Isn’t this why we’ve spent years instituting change control disciplines and configuration management databases (CMDBs)? True, and these processes and databases are a great help, but sometimes the rate of change to applications and their underlying infrastructure is much faster than the rate of change in these traditional toolsets.
OK, you say, our data center housekeeping is a bit behind the curve. But that doesn’t really impact the business so it’s no big deal. Well, that may be true in the short-term. However, our experience is that it does become a big deal when you’re embarking on initiatives like data center consolidation, or modernizing applications to cloud-native platforms such as Pivotal Cloud Foundry, or modernizing your data center infrastructure.
In such situations, migrating an application from only part of the server infrastructure that it’s running on, can be risky. You can break the application, causing an interruption of a critical business process and annoying your application stakeholders. Or you can make your application configurations even more complex, with an unwieldy, hard-to-manage mix of older and newer infrastructure.
Don’t worry folks; we’re trained professionals
So you really do need to baseline the interdependencies between your applications and your infrastructure before you start on such a strategic data center initiative. But you may say, this is a big effort, and things may have changed again by the time we finish. Fortunately, today’s automated toolsets can greatly reduce the time and effort it takes to develop such a data center blueprint that documents and inventories applications as well as the underlying server infrastructure and the connections and dependencies among all of them. And keeping track of things as your migration or modernization program continues can also be done in the same automated fashion, minimizing the risks of application breakage or business interruption.
This is why Dell EMC Services advises its clients to conduct such an automated data center blueprinting exercise as a matter of course for such initiatives as data center migration, hybrid cloud deployments, application modernization and data center infrastructure upgrades.
Want to know more? At next month’s Dell EMC World, Ted Streck from Dell EMC Services consulting arm will be giving a breakout session, including a live demo of these blueprinting tools. The session is entitled “Data Center Blueprinting: The First Step to the Future is Knowing Exactly Where You Are Today” Ted will be give the presentation twice: Monday afternoon from 1:30-2:30 in Lido 3005 and again Wednesday morning from 8:30-9:30 in Marco Polo 703. If you can’t catch Ted at these times, he’ll be giving a shorter version of this presentation at the Dell EMC Services booth in the solutions showcase. Or let me know, and we can arrange a time for you to meet with Ted.
Hope to see you there!
The post Uncovering the Hidden Connections: Why Data Center Blueprinting appeared first on InFocus Blog | Dell EMC Services.
|Update your feed preferences|
A new variant of this tool, previously reported in 2013 by TrendLabs, was submitted to VirusTotal from the Philippines on March 27th, 2017. Its original filename, 2017.exe, was prescient since it has the ability to exploit CVE-2017-5638 and other previous Apache STRUTS vulnerabilities.
Table 1 Tool Details
The application decompiles cleanly with a tool like ILSpy and contains no real surprises. When the C# app is executed it runs a GUI, presenting the user with a static header (vulnerability selection and execution portion) and footer (log output box). The middle section comprises four tabs, shown in Figure 1 below.
Figure 1 Tool Overview
The first tab provides an overview of the vulnerabilities it is configured to exploit, along with handy links to documentation for each one. To use the application, you enter the URL you’d like to target and then select the exploit in a dropdown box. Then you select an HTTP Method and hit the button underneath it. If successful, the information from the targeted application will show up in the log and replace the contents of this first window.
Figure 2 Query Vulnerable Server
The second tab includes a dropdown menu of canned commands to run on the target machine, Windows and Linux shell commands are supported. Alternatively, you may select to run a batched cmd.txt from the same local directory to run on the remote target.
Figure 3 Preconfigured Queries
Figure 4 Executed Command Output
This behavior is detectable via RSA NetWitness® Endpoint and Packets. The HTML.lua parser for Packets contains code that enables finding this behavior in either the GET or POST HTTP Methods.
Figure 5 IOC Metadata
When seeing this alert, you can pivot into RSA NetWitness Endpoint, searching in Tracking Data to determine if the Apache Tomcat process executed the requested command. If so, the server is vulnerable and should be handled according to your Incident Response plan as the actors likely ran additional commands. This can be verified by hitting ctl-f and searching within NetWitness Endpoint for ‘Tomcat’ to filter on those events. The Event “Create Process” is where you’ll find the attackers command history.
Figure 6 RSA NetWitness Endpoint Event
You may also follow-up in Packets. The HTTP response will not be HTML, rather it will be raw output from the command that was run.
Figure 7 NetWitness Packets Command Execution
The third tab (Figure 8) is a webshell installer function. By default it is configured to install the JSP version of China Chopper with the default password ‘chopper’. This can be controlled with a customized version of caidao.exe or cknife. Alternatively, you can paste in your own JSP code and choose the webshell of your liking. This simple webshell is a perfect fit as the application errors on larger, fuller function webshells. Figure 9 displays the remote command execution and output. This is more of a half shell and won’t allow interactive applications such as powershell or mimikatz to properly execute.
Figure 8 Webshell Installation
Figure 9 Simple Webshell Output
The final tab (Figure 10) allows you to add a list of URL’s manually, or via a text file, in order to perform bulk scans. Anyone searching for vulnerable applications can use google dorking to find and scrape vulnerable URL’s and then bulk scan using this tool.
Figure 10 Bulk Scanning Utility
This simple tool, an evolution of a previously released tool, keeps pace with recently released vulnerabilities. When only using signature-based tools to detect and defend your network, you can easily fall prey to zero-day exploits, such as CVE-2017-5638. With comprehensive network and endpoint forensics tools that deliver data in near-real time, such as the RSA NetWitness Suite, defenders can proactively search for this behavior and find new techniques. RSA recommends proactive security; hunting versus fishing.
|Update your feed preferences|